How is CVE-2026-10829 exploited?

Network reachability (required): The attacker must reach the device's web management interface over the network; the vulnerable parameter is exposed through the web service. Authentication (required): Admin-level credentials are required to access the Basic settings page where the vulnerable "Server location" parameter is exposed. Victim interaction (not-required): No victim interaction is needed; the attacker sends crafted input directly to the web service without any user action. Attack complexity (info): Exploit conditions are straightforward and require no race conditions or specific environmental dependencies, making a reliable exploit achievable once credentials are obtained.

What is the impact of CVE-2026-10829?

The attacker gains remote code execution on the target device running as root, giving full control over the system. All data processed or stored on the device, including serial communication traffic and configuration secrets, is readable by the attacker. The attacker can modify device configuration, firmware, or forwarded serial data, corrupting the integrity of connected industrial or networking equipment. The attacker can crash or restart the device, disrupting serial-to-network communication for all connected endpoints.

Back to search

HIGHCVE-2026-10829Published 2026-06-16Modified 2026-06-16CNA Moxa

CVE-2026-10829: A stack-based buffer overflow vulnerability has been found in the NPort W2150A-W4/W2250A-W4 Series version 1

A stack-based buffer overflow vulnerability has been found in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and earlier. This vulnerability stems from insufficient input validation of user-supplied input in the "Server location" parameter on the Basic settings page. An attacker could exploit this vulnerability by sending crafted input to the web service, resulting in memory corruption. Successful exploitation of this vulnerability could allow remote code execution on the target system with root privileges.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: —
Affected Products: 2

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the Moxa NPort W2150A-W4/W2250A-W4 Series (firmware version 1.5 and earlier) and the NPort W2150A/W2250A Series (firmware version 2.3 and earlier). The vulnerability is reachable over the network by an authenticated attacker with admin-level credentials, triggered by sending crafted input to the "Server location" parameter on the device's Basic settings page. Successful exploitation causes memory corruption that gives the attacker remote code execution with root privileges on the affected device. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-10829 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle affected Moxa firmware or management tooling.

Available

Triage

Triage is available with CVSS v4.0 scoring at 8.6 (HIGH), weighted against each environment's compliance policy to surface the finding to the appropriate team inbox inside each customer organization.

Available

Patch

Because no fix version has been published, HarborGuard re-checks the Moxa advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once a fix version is confirmed.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the device's web management interface over the network; the vulnerable parameter is exposed through the web service.
AuthenticationRequired
Admin-level credentials are required to access the Basic settings page where the vulnerable "Server location" parameter is exposed.
Victim interactionNot required
No victim interaction is needed; the attacker sends crafted input directly to the web service without any user action.
Attack complexityDetail
Exploit conditions are straightforward and require no race conditions or specific environmental dependencies, making a reliable exploit achievable once credentials are obtained.

Blast Radius

The attacker gains remote code execution on the target device running as root, giving full control over the system.
All data processed or stored on the device, including serial communication traffic and configuration secrets, is readable by the attacker.
The attacker can modify device configuration, firmware, or forwarded serial data, corrupting the integrity of connected industrial or networking equipment.
The attacker can crash or restart the device, disrupting serial-to-network communication for all connected endpoints.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked with no fix version currently published. HarborGuard monitors the Moxa advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as an upstream fix is confirmed. In the meantime, customers are advised to apply compensating controls: restrict network access to the device's web management interface using network policy rules or firewall egress filtering, enforce the principle of least privilege on admin accounts, and consider placing affected devices behind a management VLAN with no direct external exposure. When a fix is published, customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a PR opened against affected workloads without manual intervention.

See how HarborGuard automates this

Affected packages

Moxa / NPort W2150A-W4/W2250A-W4 Series
≤ 1.5
Moxa / NPort W2150A/W2250A Series
≤ 2.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

moxa.com

Metrics

Get notified